Terms and Conditions

For Grant and Contribution Funding under the Cyber Security Cooperation Program

Authority

The Minister's authority to make transfer payments is provided for by section 6(1)(c) of the Department of Public Safety and Emergency Preparedness Act, S.C. 2005, ch.10. Sections 4(1)(m), (o), (p) and (q) of the Emergency and Management Act assigns responsibility to the Minister for such things as promoting the adoption of standards and best practices and the conduct of research with respect to emergency management while section 6(1) assigns responsibility to the Minister to identify the risks that are within or related to his area of responsibility. The Cyber Security Cooperation Program (CSCP) aims to improve the cyber security posture of Canada by making funding available to eligible Recipients defined in these Terms and Conditions.

Purpose

Public Safety and Emergency Preparedness Canada's (PS) CSCP contributes to the federal government's leadership role in promoting cyber security. More precisely, the CSCP will support projects intended to improve the security of Canada's vital cyber systems by increasing industry access to and the availability of assessment tools and methodologies, best practices and guidance documents and, will support academic research and the development of alternative measures. By enabling collaboration with the private sector, academia, other level governments, non governmental organizations, and industry associations, the CSCP will contribute to furthering the Government's objective to help secure vital cyber systems outside the federal Government as stated in the second pillar of Canada's Cyber Security Strategy and support the Strategy more broadly.  

Definition

In the context of the CSCP, a vital cyber system is an information technology system that underpins the critical infrastructure of Canada which if compromised, disrupted or caused to fail would have a significant negative impact on the national interest. The critical infrastructure of Canada refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.

Duration

The current terms and conditions for the CSCP will be valid from their approval by Treasury Board until March 31, 2019.

Objectives and Key Results

The CSCP is comprised of the following three streams in support of the overall objective:

  1. Increased access to and availability of tools and methodologies for assessments of cyber system vulnerabilities (Cyber Security Assessments):
    Provides funding to develop, adapt or otherwise increase the availability and access of cyber security assessment tools and methodologies for owners and operators of vital cyber systems, including critical infrastructure. The assessments conducted using these tools will provide owners and operators with detailed plans to improve their cyber security posture. This stream will be funded by contributions, and will be cost shared with Recipients and/or other external funders.
  2. Supporting the development and dissemination of cyber security best practices and of cyber security research (best practices and research):
    Provides funding support to explore existing standards and best practices and develop best practices for critical infrastructure sectors that represent vital cyber systems. Supports research and related activities (such as knowledge transfer) on pressing cyber security questions for which knowledge gaps exist; and aims to better connect the research community with officials responsible for national security, the private sector, as well as bring the new knowledge to the general public. This stream will be funded by grants and contributions and could be cost shared with Recipients and/or other external funders.
  3. Supporting alternative measures to safeguard vital cyber systems (alternative measures):
    Provides funding to support other activities that contribute to improving the resiliency of vital cyber systems outside the federal Government. Such activities include workforce development initiatives to ensure that vital cyber systems owners and operators can rely on security professionals at the forefront of their field; events such as workshops or conferences to bring more attention to specific cyber security issues; and private sector specific awareness raising initiatives to facilitate the dissemination of relevant cyber security information.  This stream will be funded by contributions and will be cost shared with Recipients and/or other external funders.

Key Results

Results under the CSCP are expected in the short, medium and long term.

Short term/Immediate

The short term outcomes for the CSCP are improved stakeholders' awareness of cyber security issues, the role of PS and the Canadian Cyber Incident Response Centre (CCIRC); increased availability of and access to assessment tools and methodologies to assess vital cyber systems; increased availability of best practices and guidelines; the undertaking and dissemination of new and innovative research projects; and increase in workforce development activities.

Cyber Security Assessments:

Best Practices and Research:

Alternative Measures:

Medium term/Intermediate

The intermediate outcomes of the CSCP are the improvement of the cyber security posture of owners and operators of vital cyber systems through the use of assessment tools and methodologies, best practices and guidelines, and workforce development activities, and the development and dissemination of knowledge.

Cyber Security Assessments:

Best Practices and Research:

Alternative Measures:

Long term/Ultimate

Class of Recipient 

Grants and Contributions may be provided to the following classes of Recipients (Grants will not be provided to for profit institutions):

  1. Owners and Operators of vital cyber systems including but not limited to, owners and operators of Canada's critical infrastructure as defined by PS;
  2. universities and educational institutions in Canada;
  3. research institutions with capacity in the relevant field in Canada;
  4. national, provincial, territorial, local, or professional organizations, societies and associations which have voluntarily associated themselves for a not for profit purpose, and have a mandate to represent their membership or community;
  5. provincial, territorial and local governments and authorities;
  6. non governmental organizations in Canada, including bodies associated/affiliated with organizations of which Canada is a member, which have a mandate related to public safety;
  7. not for profit organizations and associations serving the private sector; and,
  8. Canadian individual researchers and professionals deemed appropriate by the department.

Eligible Activities

Activities eligible for support must be aligned with project goals and objectives and may include the following:

Cyber Security Assessments:

Develop, adapt or otherwise increase the availability and access of cyber assessment tools and methodologies for owners and operators of systems of vital cyber systems. 

Best Practices and Research:

Alternative Measures:

Type and Nature of Eligible Expenditures

Funds may be used only for costs directly related to the activities of the project identified in a budget approved by the Department.

Eligible expenses include:

  1. salaries and wages for permanent or temporary professional, clerical, technical and administrative services, and stipends (including expenses for international staff);
  2. consultation fees, and audit fees;
  3. conference room and meeting room rentals;
  4. office equipment and minor capital acquisitions net of disposal (less than $5,000 per acquisition);
  5. reasonable travel and living expenses related to the delivery of the project, including transportation rental fees;
  6. honoraria, defined as time limited remuneration for a volunteer service or participation in project delivery that is consistent with, and essential to the attainment of, the project's objectives;
  7. computer services, library expenses, research costs and collection and analysis of statistics;
  8. public awareness and educational activities consistent with the project's objectives;
  9. translation and simultaneous interpretation activities;
  10. hospitality (meals and refreshments)*
  11. shipping charges, postage, licenses, and other fees; and,
  12. federal and provincial taxes only after credits and reimbursements have been considered.

Other eligible expenses:

These costs may be proportionally applied and must be explicitly defined by the recipient, in writing, in the budget request. These expenses should not exceed a combined total of 15% of total Public Safety funded eligible project costs:

Ineligible Costs

* Food and refreshment may be considered eligible costs in the context of research projects where focus groups are undertaken.

Stacking

Where possible and appropriate, the costs of an eligible activity will be shared with the Recipient and/or with external funders. In such cases, total Government funding (federal, provincial and local) may not exceed 75%. 

When reviewing proposals for funding, departmental officials will ensure that contributions made under the funding program will not cover expenses already covered through another funding program or strategy. 

The Program will require all Recipients of grants and contributions to disclose all confirmed and potential sources of funding (government and non government) for a proposed project before the start and at the end of a project. 

Method Used To Determine Funding Levels

The availability of Program funds and the number of successful applicants will be used to determine the amount the Recipient is eligible to receive. In addition, the review criteria of the CSCP may also be used to determine the level of funding provided.  Allocations of funding between the various streams may vary depending on the priorities of the CSCP.  

Maximum Amount and Period

The maximum amount of contribution funding to any for-profit business cannot exceed $100,000 annually.

The maximum amount of funding awarded through grants cannot exceed $150,000 annually.

Grants or contributions payable to each Recipient will be limited by the vote appropriated for this purpose, and the grants ceiling of $150,000. Accordingly, the maximum amount payable to any one recipient will not exceed $300,000 per year for contributions or $150,000 per year for grants, and no project will extend beyond March 31, 2019. Project assistance is provided only at the minimum level to further the attainment of the Program objectives and expected results.

The CSCP Program review authorities will examine project activities and eligible expenditures and determine the minimum level of assistance required to attain objectives. It will examine costs and take into consideration similar projects and other sources of funding.

Repayable Contributions

Repayable contributions will not be made through this Program's terms and conditions. Any contributions made to for profit businesses are not intended to allow the business to generate profits or to increase the value of the business. The contributions are intended to 1) leverage funds to increase the availability and access of cyber assessment tools for owners and operators of vital cyber systems, and 2) support measures designed to enable the development of best practices, workforce development, and research related activities (such as knowledge transfer) to cyber security questions for Canadian government and society about cyber security.

Reporting Procedure

PS will ask recipients to share copies of any literature, reports or other products produced in the course of the initiative and/or research project, and the agreement will define for the recipient the required activities reporting on accomplishments,  requirements for financial statements (audited, if appropriate), and current and/or future years' budgets.  The recipient may also be required to provide additional supporting documentation (e.g. receipts, purchase orders, materials or products produced). The recipient should also have a plan for monitoring, regular reporting, evaluation and dissemination of the final results of the initiative and/or research project or evaluation conducted. 

To assist in determining the effectiveness of the contribution relative to PS objectives, the project manager will review and document the overall activities of the applicant during the previous year, and file relevant copies of reports, proceedings of conferences and special studies or projects undertaken.

Basis of Payment

Grants:

Payments will be issued by instalments based on materiality and project duration.

Recipients must meet and continue to meet the specific terms and conditions of the Grant Agreement prior to payments being made.

Project/performance reporting will be required of the recipient.

Contributions:

Payments and minimum holdback provisions will be based on a Risk Assessment of the Recipient.

Progress payments will be issued to reimburse the Recipient for expenditures made and will be based upon receipt and acceptance by the Department of interim financial and project reports.

Where advances are required, they will be issued based on the cash flow requirements of the Recipient.

Recipients must meet and continue to meet the specific terms and conditions of the Contribution Agreement prior to payments being made.

A final payment will be made only upon receipt and acceptance of final financial following receipt of an attestation from the Recipients' auditors and/or accountants, project and/or evaluation reports. Where deemed necessary, based on the risk assessment, audited financial reports will be requested for the project. 

Application Process and Requirements

Funding will be mostly allocated through competitive process (solicited proposals). Therefore, Calls for Proposal will be posted on the PS website and will provide specific guidelines and forms required for the application.

Unsolicited proposals could be considered at the discretion of the CSCP. It is highly recommended for this type of proposal to consult with the CSCP to discuss the project prior to submission.

The following will be required of all applicants in order for the Department to consider a project proposal:

The application must clearly describe the activities and desired outcomes of the projects. These must relate to the objectives and key results of the CSCP.

The supporting material would include:

In addition, to prevent the risk of conflict of interest, the recipient must:

Review Process

Proposals for consideration under the CSCP will be reviewed against Program criteria by the selection committee chaired by the Director of Engagement and Partnerships, of the National Cyber Security Directorate (NCSD) or their delegate, and made up of officials from federal departments and agencies responsible for cyber security, appointed to the selection committee by the Department's Senior Assistant Deputy Minister, National Security.

Funding amounts will be determined based on an assessment of the recipient's planned activities and budget submission, previous financial performance, and capacity of the recipient to achieve results. The availability of the CSCP funds and the number of successful applicants will also be used to determine the amount the recipient is eligible to receive.

In reviewing the eligibility of recipients for grants, NCSD will use the following criteria:

In reviewing and recommending proposals, NCSD will take into consideration, as applicable and appropriate:

  1. The extent to which the project would directly support and advance the objectives of the relevant stream of the CSCP as stated in this document;
  2. the extent to which the project benefits industry sector(s) or subsector(s):
  3. the extent to which the project results can be used across various industrial sectors;
  4. the extent to which the outcomes of the project can be leveraged in subsequent work;
  5. the extent to which it is demonstrated that the proposed project is evidenced based and could advance the strengthening of Canada's cyber resiliency;
  6. the amount of funding requested relative to the amount of resources available from the Department in any given year and whether expenses outlined in the proposal are eligible and reasonable;
  7. the ability of the applicant to develop, implement, manage, monitor, document and evaluate activities within the specified timeframe and budget;
  8. the Department's previous experience in working with the applicant, the degree of collaboration and the quality of and success of the project(s);
  9. the degree of involvement of the applicant, the level of support of provincial/territorial governments, federal departments and agencies, other stakeholders and partners relevant to the project;
  10. the project's potential for portability and for building on the existing knowledge base as related to Canada's cyber resiliency;
  11. the type, extent and distribution plans for report(s) or other material produced;
  12. the ethical implications of the project;
  13. how the proposal has the explicit support of relevant communities ;
  14. how the recipient seeking support occupies a credible and strategic position relevant to cyber security for the purpose of the project/initiative; and
  15. the proposal includes a plan for monitoring, regular reporting, evaluation and dissemination.

In reviewing and recommending proposals, NCSD will have evaluation criteria for each call for proposals and category. In addition to the eligibility criteria and priorities identified under each stream, applications will be assessed on their merit, level of risk, and alignment with the Program objectives.

Performance Measurement Strategy

The CSCP will contribute to ensuring that systems of importance to the Government of Canada are secure, one of the long term outcomes of Canada's Cyber Security Strategy and its related intermediate outcome of increasing the national-level collaboration on cyber security.

Expected Results

Key performance measures and indicators

Systems of importance to Canada are secure

  • Percentage of identified cyber security risks significant to Canada for which mitigation strategy is developed.

National-level collaboration on cyber security

  • Percentage of identified partners reached through engagements activities.
  • Number of agreements with partners who expressed interest established against the target.
  • Number and types of products and services resulting from collaboration with identified partners.

PS will draw on the horizontal performance measurement strategy for the Canada's Cyber Security Strategy to ensure that appropriate indicators are established and to promote an effective evaluation of the program. During the first year of the CSCP, PS program managers will amend the horizontal performance measurement strategy to include specific expected results and indicators. The results and indicators will be developed by PS program staff in accordance to the Treasury Board Canada Secretariat Guideline on Performance Measurement Strategy under the Policy on Transfer Payments. PS will complete a baseline environmental scan on assessment tools and best practices in 2013 and update it in 2019 to allow for comparison. Comparing the results of the two exercises will provide PS with an indication of the success of the CSCP in increasing industry access to methodologies, guidance tools and technologies intended to improve the security of Canada's vital cyber systems.

To measure program success, PS could consider using proxy measures. Examples of such measures could include the number of requests or downloads for an assessment tool or a best practice developed with the support of the CSCP, or the number of times CSCP sponsored research is cited in other work.

Official Languages

Ensuring, when transfer payment programs support activities that benefit members of both official language communities, that the Recipient's design and delivery respects the obligations of the Government of Canada as set out in Part VII of the Official Languages Act and that services and benefits are made available in both official languages in compliance with the Official Languages Act.

Contribution agreements signed with Recipients will include a clause guaranteeing that communications with and services to the public will be in both official languages, according to the Treasury Board's policies and directives on official languages.

Public access to Government and non-governmental websites in both French and English, as well as access to French and English Media (written and visual) where public education and awareness messages will be displayed, should be considered to  promote the use of both official languages in Canada. 

Intellectual Property

If a project produces intellectual property, the Recipient retains copyright for any work produced under the contribution agreement. However, in situations where the Department wishes to use the intellectual property produced by a Recipient, additional clauses may be included in the contribution agreement or the Department may negotiate a licence with the Recipient.

Date modified: